Preparing Annual Risk Management Strategy

With the last quarter of the year under way, organizations are now preparing their risk management strategy and plan for 2011. Chief Audit Executives, Chief Risk Officers, Heads of Internal Audit, Chief Information Security Officers, Heads of Compliance, Heads of Ethics and Heads of Fraud Risk are normally very busy in the last quarter finishing off the year-end targets, objectives and key performance indicators. The next year's strategy is developed from the previous year's reports, observations, balanced scorecards and risk dashboards. A simplistic risk management strategy focuses on the following:

1) Financials – Developing a budget and other cost indicators

2) Operations – Preparing audit and review schedules; listing the policies, procedures and manuals to be prepared and reviewed

3) Resources – Formulating a hiring and a training plan

4) Knowledge – Developing knowledge bases, writing research papers and upgrading risk management tools and software

Risk management has become complex and critical in the present economic environment. Without sophisticated and skilled risk management departments, organizations may face multiple disaster scenarios. Globalization, technology, the economic environment, regulators, competitors and the speed of change have all contributed to making business operations more complex. Risk management departments need to gear up and develop their annual strategy with these aspects in mind.

Five suggestions for preparing a comprehensive annual strategy are given below:

1. Break the Silo Approach

Depending on its size, an organization may have a number of departments focusing on risk management. To name some, corresponding to the department heads mentioned in the first paragraph, we have Internal Audit, Fraud Prevention & Investigation, Compliance, Information Security and Business Ethics. These departments generally have some overlapping functions and turf wars. Silos form, and senior management has difficulty making sense of the various risk dashboards and reports presented by the department heads.

Prepare individual plans for the departments and roll them up into one combined plan for all the risk management departments. Prepare a single strategy and plan for the organization as a whole and present that to senior management. The plan presented to management should emphasize the top risks to the organization, together with a plan to mitigate and control them. Management will have higher respect for, and provide greater support to, an integrated approach. The various risk management departments will also save cost and time in monitoring risks by reducing duplication of work, leveraging synergies and sharing tools and information.

2. Determine Risk Philosophy and Appetite of the Organization

In some cases, the risk management departments present a risk dashboard to the senior management of the organization. If the CEO asks, “Can I hold you to this? Are you sure that if these top 10 risks are mitigated, the organization will sail through the year?”, the head of the department generally cannot say a definitive “yes”. The answer comes hedged with “maybe”, “but” and “if”, never a plain “yes”. So the question is: how should a head of department address this concern?

Risk managers need to determine the risk philosophy and appetite of the organization. To assess the risk philosophy, understand the organization’s culture and environment. The way business operations are conducted daily and the organization’s strategy are good indicators of its risk philosophy. Assess whether the business has an aggressive or a conservative attitude towards the risks it takes to achieve its goals.

Risk appetite is the amount of risk the organization is willing to take in order to undertake its business activities. A simple question to ask the board members would be: “What amount is going to make you uncomfortable if it appears in the business newspapers?” Consolidate the risk exposures from the various risks identified by the risk departments and present them to the board. Finally, assess whether the company’s internal outlook on risk philosophy and appetite is consistent with the viewpoints of the board and other stakeholders. Realign the two where required before preparing the annual strategy.

3. Understand and Integrate with Business Strategy

In a few companies, the annual strategies and plans of the business and of risk management are drawn up in parallel, with neither side knowing what the other is planning. The risk management strategy cannot be focused inwardly on the department. The risk department heads need to obtain information on the organization’s business strategy in order to understand its strategic risks.

For example, obtain information on the new products and services the organization is introducing in the coming year. Identify the territories, branches and countries into which the organization is planning to expand its business operations. Determine the risks of that expansion and innovation. Say a USA company is planning to introduce its products in India. India has different laws, regulations and taxes, and the operational risks are different as well. Understand these risks and integrate them into the annual strategy and plan. This way, neither the risk management departments nor the business operation departments will be surprised. The budgets and plans will be incorporated and approved before the year commences, so there will be limited firefighting.

4. Focus on Building Relationships

One grievance risk departments have is that they are not on the CXOs’ radar, do not report directly to the top or have representation at the board, and are sidelined from critical business operations because of negative perceptions.

Plan for the coming year and prepare a wish list. Include in it the time required from the CEO and other CXOs, the formation and membership of a risk oversight committee, a new organization structure with the head reporting directly to the CEO, and a nomination to the board. Discuss these aspects with the CEO and senior management during plan preparation. This will ensure that senior management schedules the requirements in their own plans. Insist that the CEO puts risk management as one of the points in his or her personal balanced scorecard. This will make sure he or she is dedicated and committed to risk management throughout the year.

Discuss the composition of the risk oversight committee and the audit committee. Identify the members you wish to nominate who support risk management initiatives. Define the process for reporting to the board and the audit committee. Get their commitment to the board nomination and the new organization structure for the risk management departments. Start the groundwork for building relationships at the planning stage itself.

5. Assess Competitors’ Strategies

Risk departments are generally content with what they are doing and pick up information about tools and methodologies from various institutes’ periodicals, magazines and conferences. Only in a few cases is there any focus on how the risk management departments of competing businesses and organizations operate.

Determine which organizations compete with the business in respect of products and services in the various territories. Focus on finding information about the operations of these organizations’ risk management departments. Find out which risks they faced and how they were mitigated, what kinds of tools and knowledge bases they use, and what their staff strength, skill set and organization structure are. Will some of their practices result in cost savings and better synergies within the business? Determine the similarities and differences, and assess what can be incorporated effectively in your organization. There are lessons to be learned from competitors’ successes and failures; leverage knowledge of the competition to learn them.


Enterprise Risk Management and the PMBOK

Enterprise Risk Management is a term used to describe a holistic approach to managing the risks and opportunities that an organization must handle intelligently in order to create maximum value for its shareholders. The foundation of the approach is the alignment of the organization’s management of risks and opportunities with its goals and objectives. One of the keys to this alignment is the “Risk Appetite” statement, a statement encapsulating the direction the Board gives management to guide its risk management methods. The statement should describe in general terms what kinds of risk the organization can tolerate and which it cannot. This statement, together with the organization’s goals and objectives, guides management in selecting the projects the organization undertakes. The statement also guides management in setting risk tolerance levels and in determining which risks are acceptable and which must be mitigated.

This article will attempt to review Enterprise Risk Management (ERM) and relate it to the best project management practices found in the PMBOK® (4th Edition). The source for most of my information about ERM is a study published in 2004 by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. The Treadway Commission was sponsored by the American Institute of Certified Public Accountants (AICPA), and COSO consisted of representatives from 5 different accounting oversight groups as well as North Carolina State University, E.I. DuPont, Motorola, American Express, Protective Life Corporation, Community Trust Bancorp, and Brigham Young University. The study was authored by PricewaterhouseCoopers. I list the oversight committee and authors to show the influence the insurance and financial industries had over the study.

The approach suggested by the study, which is probably the most authoritative source of ERM information, is very similar to the approaches taken to managing quality in an organization, in that it places emphasis on the responsibility of senior management to support ERM efforts and provide guidance. The difference is that, while quality methodologies such as CMM or CMMI place the responsibility on management to formulate and implement quality policies, ERM takes responsibility right to the top: the Board of Directors.

Let’s go through the study recommendations and relate them to the processes recommended in the PMBOK. To refresh your memories, those processes are:

Plan Risk Management
Identify Risks
Perform Qualitative Risk Analysis
Perform Quantitative Risk Analysis
Plan Risk Response
Monitor and Control Risks

ERM begins by segregating goals and objectives into 4 groups: strategic, operations, reporting, and compliance. For the purposes of managing projects, we need not concern ourselves with operational risks. Our projects might support the implementation of reports, and our projects may be constrained by the need to comply with organizational or governmental guidelines, standards, or policies. Projects in the construction industry will be constrained by the need to comply with the safety laws enforced in their location. Projects in the financial, oil & gas, defense, and pharmaceutical industries will also be required to comply with government laws and standards. Even software development projects may be required to comply with standards adopted by the organization, for example quality standards. Projects are a key means of implementing strategic goals, so goals in this group are usually applicable to our projects.

The study recommends 7 components:

Internal Environment: The key component of the internal environment is the “Risk Appetite” statement from the Board. The environment also encompasses the attitudes of the organization, its ethical values, and the environment in which it operates.
PMBOK® Alignment: The description in the study is actually very close to the description of Enterprise Environmental Factors, which are an input to the Plan Risk Management process. The PMBOK also refers to the organization’s risk appetite, and to its attitude towards risk, in its description of Enterprise Environmental Factors.
Objective Setting: Management is responsible for setting objectives that support the organization’s mission, goals, and objectives. Objective setting at this level must also be consistent with the organization’s risk appetite. The objective setting here may refer to objective setting for the project, as well as for any of the 4 groups of organizational objectives.
PMBOK® Alignment: Goals and objectives should include those that pertain to risk management. The project’s Cost and Schedule Management plans are inputs to the Plan Risk Management process. These documents should contain descriptions of the goals and objectives in these individual areas. These goals and objectives may determine how risks are categorized (Identify Risks), prioritized (Perform Qualitative Risk Analysis), and responded to (Plan Risk Response).
Event Identification: Events that pose a threat to the organization’s goals and objectives are identified, as well as events that present the organization with an opportunity to achieve its goals and objectives (or goals and objectives not yet identified). Opportunities are channeled back to the organization’s strategy or objective setting processes.
PMBOK® Alignment: This component aligns exactly with the Identify Risks process from the PMBOK. The only significant difference is the recommendation that opportunities be channeled back to the organization’s strategy or objective setting processes. The PMBOK offers no guidance here, but this component can be supported by simply referring any opportunity not identified with an existing project goal or objective back to the project sponsor.
Risk Assessment: Risks are scored using a probability and impact scoring system. Risks are assessed on an “inherent and residual” basis. This simply means that once a risk mitigation strategy has been defined, its effectiveness is measured by determining a probability and impact score with the risk mitigation strategy in place. This score is referred to as residual risk.
PMBOK® Alignment: This component aligns closely with the Perform Qualitative Risk Analysis process, which provides the probability and impact scoring for the identified risks. The Monitor and Control Risks process also supports this component: that process measures the effectiveness of the mitigation strategies and so determines the residual risks.
Control Activities: Policies and procedures are established to ensure that risk responses are effectively carried out.
PMBOK® Alignment: This component is supported by the Plan Risk Management process. The output of this process is the Risk Management Plan, which describes the risk management procedures the project will follow. Keep in mind that Control Activities is wider in scope than Plan Risk Management; the plan will only cover those procedures that pertain to the project. The Monitor and Control Risks process also supports this component, ensuring that the procedures defined in the plan are carried out and are effective.
Information and Communication: This component describes how information pertaining to risks and risk management is identified, captured, and communicated throughout the organization.
PMBOK® Alignment: This component is actually supported by the processes in the Communications Management knowledge area, which manage all project communications. The Risk Management Plan will identify the information, how it is captured, and how it is maintained. The Communications Plan will describe to whom, when, and how the information is to be communicated.
Monitoring: ERM is monitored and changed when necessary. Monitoring and change are performed in 2 ways: ongoing management activities and audits.
PMBOK® Alignment: Monitor and Control Risks supports this component. This process uses Risk Reassessment, Variance and Trend Analysis, Reserve Analysis, and Status Meetings to monitor risk management activities and ensure that the activities are meeting the project’s goals and objectives. It also describes audits as a technique for determining whether planned activities are being carried out and are effective. One of the outputs of this process is updates to the Risk Management Plan where activities are not effective in controlling risks. Preventive and corrective actions are also recommended to address cases where activities are not being carried out, or are performed incorrectly.
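The inherent-versus-residual scoring in the Risk Assessment component, and the comparison of residual risk against the Board's risk appetite, are easy to get wrong in a spreadsheet, so the following is an added worked example. It is not code from the COSO study, the PMBOK or this article's author. The 1–5 ordinal scales for probability and impact, the rule that a planned response removes a whole number of scale points from probability and/or impact, the numeric appetite threshold and the four-item sample register are all constructed assumptions for illustration.

```python
"""Inherent and residual risk scoring for a small project risk register.

Added illustration; not the COSO study's, the PMBOK's or the author's code.
Assumptions: probability and impact are scored on a 1-5 ordinal scale, a
control removes a whole number of points from probability and/or impact,
and the Board's risk appetite is expressed as a maximum residual score.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

SCALE_MIN, SCALE_MAX = 1, 5  # assumed ordinal scale for probability and impact


@dataclass
class Control:
    """A planned risk response (PMBOK Plan Risk Response). Its effectiveness is
    modelled as the number of scale points it removes (assumption)."""
    name: str
    probability_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    id: str
    description: str
    category: str          # strategic / operations / reporting / compliance
    probability: int       # inherent probability, 1-5
    impact: int            # inherent impact, 1-5
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject scores outside the agreed scale rather than silently clamping.
        for value in (self.probability, self.impact):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.id}: score {value} outside {SCALE_MIN}-{SCALE_MAX}")

    def inherent_score(self) -> int:
        """Probability x impact with no controls in place."""
        return self.probability * self.impact

    def residual_scores(self) -> Tuple[int, int]:
        """Probability and impact after all controls, floored at the scale minimum."""
        p = max(SCALE_MIN, self.probability - sum(c.probability_reduction for c in self.controls))
        i = max(SCALE_MIN, self.impact - sum(c.impact_reduction for c in self.controls))
        return p, i

    def residual_score(self) -> int:
        p, i = self.residual_scores()
        return p * i


def assess_register(risks: List[Risk], appetite: int) -> List[Risk]:
    """Risks whose residual score still exceeds the appetite, worst first.

    These are the items that Monitor and Control Risks should flag: the planned
    responses have not brought them within the tolerance the Board stated."""
    above = [r for r in risks if r.residual_score() > appetite]
    return sorted(above, key=lambda r: (-r.residual_score(), r.id))


def format_register(risks: List[Risk], appetite: int) -> str:
    """One line per risk showing inherent and residual scores and the decision."""
    lines = []
    for r in sorted(risks, key=lambda r: r.id):
        p, i = r.residual_scores()
        status = "ACCEPT" if r.residual_score() <= appetite else "MITIGATE FURTHER"
        lines.append(f"{r.id:<4}{r.category:<12}inherent {r.probability}x{r.impact}={r.inherent_score():>2}"
                     f"  residual {p}x{i}={r.residual_score():>2}  {status}")
    return "\n".join(lines)


# Constructed sample register (not from the article).
SAMPLE_RISKS = [
    Risk("R1", "New-market launch breaches local tax law", "compliance", 4, 5,
         [Control("Local counsel review", probability_reduction=2)]),
    Risk("R2", "Key vendor misses delivery date", "operations", 3, 3,
         [Control("Secondary supplier qualified", probability_reduction=1, impact_reduction=1)]),
    Risk("R3", "Quarterly risk report omits the project", "reporting", 2, 2),
    Risk("R4", "Product misses its strategic window", "strategic", 3, 5,
         [Control("Phased release plan", impact_reduction=1)]),
]
APPETITE = 8  # assumed Board statement: residual scores above 8 are not tolerated

if __name__ == "__main__":
    print(format_register(SAMPLE_RISKS, APPETITE))
    print("Still above appetite:", [r.id for r in assess_register(SAMPLE_RISKS, APPETITE)])
```

Running it shows R1 and R4 still above the assumed appetite after their planned responses (residual 10 and 12), while R2 and R3 can be accepted; the difference between each risk's inherent and residual score is the measured effectiveness of its mitigation, which is what the Monitor and Control Risks process is meant to revisit as the project proceeds.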

ERM provides assurance that it is effective by determining whether all 7 components of ERM have been provided for across all 4 categories of organizational goals and objectives. Project management will not cover all areas of each component in each category, but it will cover those organizational goals and objectives supported by the project and all the reporting and compliance goals and objectives that apply to the project.

Internal control for ERM is provided for by the guidelines described in the Internal Control – Integrated Framework document authored by COSO. We won’t describe these guidelines in detail but treat them at a summary level. The ERM study aligns with the guidelines and refers the reader to that document for compliance details. The details of compliance would concern an organization implementing ERM, but that must be instigated by the Board and would only concern a project manager if they were responsible for a project that implemented ERM. The guidelines place risk controls alongside the other internal controls of the organization (keep in mind these guidelines are insurance and finance-centric). They assign responsibilities to 3 organizational roles: the Chief Financial Officer, the Chief Information Officer, and the Chief Risk Officer. The Chief Legal Officer is identified in lieu of a Chief Risk Officer. The CFO is responsible for monitoring internal control over financial reporting, the CIO for monitoring internal control over information systems, and the CRO for monitoring internal control over compliance with laws, standards, and regulations. The guidelines reiterate that the risk management tone is set from the top of the organization, as evidenced by the company officers responsible for monitoring.

The Internal Control – Integrated Framework guidelines also acknowledge that monitoring and control are prone to human error and that not all procedures have equal importance. They address this by identifying the most critical procedures using “key-control analysis”, which is used to determine whether control procedures and processes are effective. The guidelines also attempt to give direction on identifying preventive or corrective actions to improve internal controls. They do this by evaluating the information that measures effectiveness: only if that information is “persuasive” should corrections be made. The guidelines provide for internal audits of internal control procedures but acknowledge that not every organization may be large enough to warrant that role, and that there is a place for external audits in internal controls.

Most of the reporting the project manager will be responsible for will be what the guidelines term “internal”, that is, reports read only by management. In some cases reports may be read by third-party external organizations. The project manager’s reporting on risk management on their project may form a part of the information reported externally, but the project manager should not be made responsible for reporting externally.

The guidelines require that the implementation of a framework be scaled to suit the size and complexity of the organization it serves. Scalability will require the organization to identify who will be responsible for a given activity. For example, the organization may not have a Chief Risk Officer, in which case some other role must be identified for compliance responsibility. This responsibility will be delegated to the project manager when any compliance objectives form part of the project’s objectives.
